Google has announced the integration of a Rust-based DNS parser into the Pixel 10 modem firmware, continuing a multi-year effort to harden the cellular baseband against memory-safety exploits. The move follows the company’s earlier work deploying Rust in existing firmware codebases and builds on mitigations shipped with the Pixel 9.

Why the Baseband Is a High-Value Target

The Pixel modem contains tens of megabytes of executable code and presents a substantial remote attack surface. Google’s Project Zero previously demonstrated remote code execution against Pixel modems over the Internet, and the team notes that additional critical memory-safety vulnerabilities likely remain in the predominantly memory-unsafe firmware. The baseband therefore represents a high-priority target for proactive hardening.

Why DNS Was Chosen First

Modern cellular networks rely on DNS even for basic functions such as call forwarding, making DNS parsing a security-sensitive operation that processes untrusted data. The DNS protocol’s complexity, combined with a memory-unsafe implementation, creates real vulnerability exposure. CVE-2024-27227 is cited in the source material as a concrete example of this risk class. Replacing the DNS parser with a Rust implementation eliminates an entire category of memory-safety bugs in that component.
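To make the risk class concrete, here is an added example (not code from Google, the Pixel firmware, or hickory-proto) of decoding a DNS name from untrusted bytes in safe Rust. It goes beyond the page by using RFC 1035 name compression as the source of complexity; `read_name`, `sample_message`, and the 16-jump cap are assumptions made for this illustration.

```rust
// Added illustration; not hickory-proto or Pixel firmware code.
#[derive(Debug, PartialEq)]
pub enum NameError { Truncated, BadLabelType, PointerLoop, TooLong }

/// Decode the RFC 1035 name at `start`. Returns the dotted name and the
/// offset of the first byte after the name at its original position.
pub fn read_name(msg: &[u8], start: usize) -> Result<(String, usize), NameError> {
    let mut name = String::new();
    let (mut pos, mut wire_len, mut jumps) = (start, 0usize, 0u8);
    let mut resume: Option<usize> = None; // set when the first pointer is followed
    loop {
        // Every read goes through `get`, so a hostile offset yields an error
        // instead of an out-of-bounds access.
        let len = *msg.get(pos).ok_or(NameError::Truncated)? as usize;
        match len & 0xC0 {
            0x00 if len == 0 => return Ok((name, resume.unwrap_or(pos + 1))),
            0x00 => {
                let label = msg.get(pos + 1..pos + 1 + len).ok_or(NameError::Truncated)?;
                wire_len += 1 + len;
                if wire_len > 254 { return Err(NameError::TooLong); } // 255 with root byte
                if !name.is_empty() { name.push('.'); }
                name.extend(label.iter().map(|&b| b as char));
                pos += 1 + len;
            }
            0xC0 => {
                let low = *msg.get(pos + 1).ok_or(NameError::Truncated)? as usize;
                if resume.is_none() { resume = Some(pos + 2); }
                jumps += 1;
                if jumps > 16 { return Err(NameError::PointerLoop); } // assumed cap
                pos = ((len & 0x3F) << 8) | low;
            }
            _ => return Err(NameError::BadLabelType), // 01 and 10 prefixes are reserved
        }
    }
}

/// Constructed sample: 12-byte zeroed header, "www.example.com" at offset 12,
/// then "mail" followed by a compression pointer to offset 16 ("example.com").
pub fn sample_message() -> Vec<u8> {
    let mut m = vec![0u8; 12];
    m.extend_from_slice(b"\x03www\x07example\x03com\x00");
    m.extend_from_slice(b"\x04mail\xC0\x10");
    m
}

fn main() {
    let msg = sample_message();
    println!("{:?}", read_name(&msg, 29));
    println!("{:?}", read_name(&[0xC0, 0x00], 0)); // pointer to itself
}
```

A truncated label, a pointer past the end of the message, and a pointer loop each come back as a `NameError` value the caller has to handle, where an unchecked parser would read outside the buffer or never terminate.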

Selecting and Adapting the Library

The team evaluated several open-source Rust DNS crates and selected hickory-proto based on maintenance quality, greater than 75 percent test coverage, and broad community adoption. One significant obstacle was that hickory-proto lacked no_std support, which is required for bare-metal embedded environments. Google engineers added no_std support to hickory-proto and several of its dependencies, contributing the changes upstream. The effort also produced a no_std-compatible URL parser, a side benefit for other projects.

Code Size and Build System Integration

A size-optimized build of the full Rust DNS stack totals approximately 371 KB, broken down as follows:

  • Rust shim layer: roughly 4 KB
  • Core, alloc, and compiler_builtins (one-time cost): roughly 17 KB
  • hickory-proto and its dependencies: roughly 350 KB

The team acknowledges this footprint may be a blocker for more tightly constrained embedded systems and identifies conditional feature flags as a path to reducing it in future work. Because the Pixel modem is not tightly memory-constrained, code quality and community support were prioritized over size optimization.

For build integration, Google chose to compile Rust crates directly through rustc within the existing Pigweed-based build system rather than relying on Cargo-produced static libraries. This approach avoids duplicated symbol errors that can arise when linking multiple static libraries and scales more cleanly as additional Rust components are added. All crates, including hickory-proto, its dependencies, and the standard bare-metal crates, are compiled to rlib format and then linked through a single staticlib target.

Broader Implications

The Pixel team frames this integration as a foundation for wider adoption of memory-safe code across modem firmware, not a one-off replacement. By open-sourcing the no_std contributions and documenting the build system approach, Google is signaling a template that other vendors working on embedded or baseband firmware could follow.